2

I've read key images are the critical element in Monero to avoid double spends.

I think I understand how it works when you are using only one of your previously unspent transaction outputs to create a new transaction.

Let's say you have a previously unspent transaction output TXO_A.

In that case you create a ring signature joining your TXO_A with 4 other TXOs (TXO_B, TXO_C, TXO_D and TXO_E). The ring signature is formed in a way that everybody can validate that someone in the ring has signed it, but no one can tell who was the signer. Also, you have to attach a key image derived from TXO_A to the transaction so the protocol would never accept using the same TXO_A in a different transaction.

Here come my doubts: How is a transaction formed when you need to use 2 or more of your TXOs?

Imagine you have to pay 15 XMR and you don't have a single TXO with enough XMR. You'll have to use 2 different TXOs, for example: TXO_A1 with 10 XMR and TXO_A2 with 8 XMR.

In that case, would the ring signature be formed from TXO_A1, TXO_A2, TXO_B, TXO_C and TXO_D?

Evidently the protocol could not let you use TXO_A1 or TXO_A2 again, so there has to be a way to include key images from both TXO_A1 and TXO_A2.

But if you explicitly add 2 key images to the transaction, it leaks that you used 2 TXOs instead of just one, and everybody knows the number of decoy TXOs has been reduced by one.

The worst case would be if you needed to use 5 TXOs owned by you; then there would be no decoys!!

As it can't be that way, I would like an explanation of how this is done in Monero.

michi

1 Answer

1

Monero's ring signatures typically use a ring size of 7, which means 1 real output and 6 decoy outputs.

However, there are several rings if you spend several outputs. Therefore if you spend 5 outputs, there will be 6*5=30 decoys.

knaccc
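An added example (not part of the answer above, and not Monero's own code) modelling what the answer describes: each spent output gets its own ring of 7 and its own key image, so a reused output is rejected no matter which decoys surround it. The modular arithmetic is a toy stand-in for ed25519, the ring signature itself is omitted, and every function name is hypothetical.

```python
import hashlib
import secrets

# Toy group, an assumption for illustration: integers mod the Mersenne prime
# 2**127 - 1 stand in for Monero's ed25519 curve. Not secure.
P = 2**127 - 1
G = 3
RING_SIZE = 7  # 1 real output + 6 decoys, as in the answer


def hash_to_group(pub):
    """Map a public key to a group element (stand-in for Monero's Hp)."""
    digest = hashlib.sha256(pub.to_bytes(16, "big")).digest()
    return int.from_bytes(digest, "big") % (P - 2) + 2


def new_output():
    """Return (private key, public key) for a constructed sample output."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def key_image(x, pub):
    """I = Hp(pub)^x: depends only on the spent output, never on the decoys."""
    return pow(hash_to_group(pub), x, P)


def build_input(x, pub, chain):
    """One ring per spent output: the real key hidden among 6 decoys."""
    others = [p for p in chain if p != pub]
    decoys = secrets.SystemRandom().sample(others, RING_SIZE - 1)
    return {"ring": sorted(decoys + [pub]), "key_image": key_image(x, pub)}


def build_tx(owned, chain):
    """A transaction spending n outputs carries n rings and n key images."""
    return [build_input(x, pub, chain) for x, pub in owned]


def accept(tx, spent):
    """Reject the transaction if any key image repeats or was seen before."""
    images = [i["key_image"] for i in tx]
    if len(set(images)) != len(images) or spent & set(images):
        return False
    spent.update(images)
    return True
```
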